Security Post September 11: What Have We Learned?

By James Brown.

Following the successful United States operation against al-Qaeda and the death of Osama Bin Laden, it is a fitting time to review how our security approach and capabilities have changed in response to the Twin Towers attack, associated events and the ongoing evolution of terrorism and other global issues.

The immediate reaction was to increase a range of physical security measures and personnel practices, the real effectiveness of which was open to debate. Existing security measures, such as the ubiquitous surveillance capability in the United Kingdom, were of great assistance in the resolution of investigations following the London bombings. However, they seem to have had little dissuasive effect, as the volume of material and the lack of integration of the capabilities could only be addressed after the event.

The missing ingredient in the pre-September 11 world was effective intelligence sharing and analysis arrangements. This situation has since improved but still has some distance to go. One would suggest that timely and accurate collection, analysis, and dissemination of intelligence is the key to both prevention and resolution of security incidents whether of a terrorist nature or from an ongoing persistent threat from espionage or organised criminals.

At a Canberra University National Security Lecture on 25 February 2011, Dennis Richardson, Secretary Department of Foreign Affairs and Trade (formerly Director General ASIO), said, “The world faces significant security and economic challenges that require the input of a wider range of players than in the past. No one country can tackle on its own global terrorism, nuclear proliferation, climate change, and the like. No one country on its own can achieve the return of the world’s financial system to health, nor global trade liberalisation, nor the fulfilment of the millennium development goals, nor set new globally recognised norms on, for instance, cyber space. There will be a variety of forums in which the challenges of the twenty-first century will be negotiated”.

In a related and earlier comment, the Attorney General, Robert McClelland, in his address to attendees at the Security In Government 2010 conference, said, “We’ve seen a complete shift in our thinking on the protection of critical infrastructure and the preparation of responses to an attack in Australia or involving Australians. We are now focussed on an ‘all-hazards’ approach – preparing and planning for an attack of any kind, man-made or natural – by enhancing our resilience to withstand and bounce back from such a threat”. The Government developed and launched the Cyber Security Strategy and established two important new organisations: the Cyber Security Operations Centre (CSOC) in the Department of Defence and the Computer Emergency Response Team (CERT Australia) in the Attorney General’s Department.

In the context of this changing and volatile global environment, it is worth looking at the practice and capability areas that make up our capacity to reduce the risk from security threats. Some of these result from September 11 but most represent a recognition of and response to the sophistication and complexity of the variety of threats to our security today.

What follows is a brief overview of the changes and trends in these areas.

Strategic Level Initiatives

Globally, we are seeing the development, acceptance and application of international security-related standards. These range from the use of the ISO 31000 Risk Management Standard, as applied to identifying and managing security risks, through to specific standards for supply chain security (ISO 28000) and cyber security (ISO 27001/2). Most interesting is the ongoing work of the ISO Technical Committee (TC223) for Societal Security. It has developed a comprehensive plan and road map for standards development, ranging from resilience planning and emergency management, through to the alignment of colour coding for alerts across states and nations. Australia is participating in this activity and has created a mirror committee (MB021).

Commonwealth Protective Security Policy Framework (CPSPF)

The CPSPF was also launched at the 2010 Security In Government conference. It provides guidance that is useful to the public and private sectors alike. It is theoretically underpinned by the application of the Risk Management Standard to the security issue.

The framework mandates action in the following practice areas:

Personnel security. Agencies are to ensure the people they employ are suitable and meet high standards of integrity, honesty and tolerance. Where necessary, people are to be security-cleared to the appropriate level.

Information security. Agencies are to ensure that all official information is appropriately safeguarded to ensure its confidentiality, integrity and availability by applying safeguards so that:

  • only authorised people, using approved processes, access information
  • information is used only for its official purpose, retains its content integrity and is available to satisfy operational requirements
  • information is classified and labelled as required
  • information created, stored, processed, or transmitted in or over government information and communication technology (ICT) systems is to be properly managed and protected throughout all phases of a system’s life cycle, in accordance with the protocols and guidelines set out in the Protective Security Policy Framework.

Physical security. Agencies are to provide and maintain:

  • a safe working environment for their employees, contractors, clients, and the public
  • a secure physical environment for their official resources.

Physical Security

In considering the latter practice areas first, it is reasonable to suggest that the enhancements in physical security mitigations are the most obvious areas of change in the past ten years.

The US Department of Housing Security Handbook contains some definitions that resonate with the Australian and New Zealand approach to defining physical security and supports the approach in the CPSPF.

Physical security is defined as that part of security concerned with physical measures to:

  • Provide for the individual and collective safety and well-being of personnel, as well as visitors and clients;
  • Prevent unauthorized access to a designated facility; and
  • Protect and safeguard information, equipment, materials, and documents within the facility against espionage, sabotage, damage, theft, and/or unauthorized disclosure.

The area of physical security has seen considerable enhancements, ranging from improved physical barriers, through to enhanced fully integrated access control systems, to video surveillance capabilities. The following areas extend our capacity to enhance control, and therefore, mitigate risk of unauthorised access, yet at the same time challenge issues of privacy and freedom:

Biometrics – The range of biometric measures, from fingerprints, facial recognition and iris scanning to DNA testing, can form a graduated set of controls that can be applied to enable access or system functionality only for authorised persons (and to prevent or identify an unauthorised person). However, the technology raises questions about who should be allowed to implement biometric security and on what grounds. As the use and collection of biometric data is still seen by many as an invasion of privacy, questions must be answered as to what provisions are used for protecting and managing this intrusive data. The recent debate about bars and clubs using fingerprint-entry controls emphasises this point.

Body Scanning – The furore about body scanners is indicative of the sensitivity of the public to the issue. The public generally accepts the intrusive nature of scanning and searching but there are times when the mitigation is deemed so inappropriate or intrusive that other methods may be more appropriate.

Video and audio surveillance – It is reasonable to suggest that most members of the public are not concerned about ubiquitous video surveillance as it gives an enhanced sense of public safety in a variety of situations. The concern is about the misuse of surveillance footage, especially in the case of covert surveillance when transparency of practice, purpose, information security and privacy protection needs to be fully demonstrated. The media is always ready to focus on the occasions where such footage is misused. There remains no doubt that in a post September 11 world, widespread surveillance is here to stay.

Convergence

Probably one of the most interesting trends in security is the convergence of physical security, information technology, and corporate management. The article will later address the corporate level but, at the practical level, Terry Martin and Alexander Bakhto in The Convergence of Physical Security suggest “The convergence of physical security with information security, in addition to being driven by the InfoSec physical security model describing the entire facility as a security system, is also developing in support of another objective: Single Sign On (SSO) for access control and the management of authorised persons. SSO is driven by powerful directives such as Homeland Security (HSPD-12) and FIPS 201”.

In practice, SSO means one thing: smartcard technology. SSO requires the convergence of traditional physical security with IT for a number of reasons, including:

  • Reduction of the cost associated with issuing and revoking authentication and access control credentials across information systems and facilities
  • Capability of knowing where a person is in relation to network authentication.

This trend, when coupled to smart locks, surveillance, monitoring systems and the control of access to information, communication technology and data is a fundamental change in determining who we are in the workplace with a view to better understanding who should have access to what and where.

Personnel Security

Identity management, vetting and staff selection processes have led the way in preventing those posing a risk from accessing what we must protect. In an article of this nature, the aim is not to talk in detail about the technologies such as biometrics, data matching, and computer-based personnel investigative practices, but rather to touch on people management and leadership as the key issues for the security of people.

In every case where I have had direct experience of people ‘going wrong’ in the work place, whether as extreme as espionage or as common as petty fraud or harassment, the symptoms were present well before the trigger events. The indicators were generally known to peers and first-line supervisors who, for many personal and cultural reasons, did not report concerns until it was too late.

Security problems arising from people often come down to the persons in the workplace failing to take responsibility for their own and others’ security and behaviour. Good people-management is the key: know your people, set the values and monitor behaviour in an environment of trust where it is safe to raise issues and where prevention and remediation is the strategy, not punishment. This is enhanced by effective security training focused on a balanced view of the threats and developing a proactive security culture among staff.

Information And Telecommunications Security

We have seen the rise of terrorist capability to use the internet to promote their cause, recruit members, plan and inspire actions and manage their organisations. While this is a significant boon to the terrorist, it is also of considerable assistance to the intelligence collector with sufficient capability to use the information to generate an effective picture of terrorist planning and operational capability.

Nevertheless, the changes in the ICT area are less related to terrorism than to the capacity of ICT attack technologies for use by issue-motivated groups and for corporate and state espionage.

The currently-running saga of the attack by ‘Anonymous’ on security firm HBGary is well illustrated on the internet. The website for Ars Technica provides two levels of insight: the why and the how.

The Why

The attack on security firm HBGary and its subsidiary, Federal HBGary, commenced in earnest when Federal CEO, Aaron Barr, thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group’s actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary’s servers were broken into, its emails pillaged and published to the world, its data destroyed and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.

Ars Technica can provide excellent detail about the ‘how’, but it is worth noting here the interesting risk-taking behaviour of members of the company that made Anonymous’s job that much easier.

  • Key executives used the same passwords on social networking sites as they used at work.
  • They used common email networks for business, and therefore, allowed access to company information.
  • They did not maintain sufficient monitoring and protective software on their system.

As a result of this compromising of HBGary-supported government interests, the US Congress is now investigating all HBGary contracts with the US Government and Federal CEO, Aaron Barr, has paid the employment penalty.

A further significant development is the continuing rise of cyber espionage. Many countries will use their skills in cyber warfare to enhance their national interests whether it is the alleged use of the Stuxnet virus by Israel to undermine the nuclear program in Iran, or alleged attacks by Russia against Estonia and Georgia.

The Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, which is a report prepared for the US-China Economic and Security Review Commission, identified cyber espionage as a growing and immediate concern. The authors of the report indicate that this arises from the discovery that unclassified US government and private sector information, once unreachable or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, and stolen with comparative ease.

The Commission identified China as the most frequently cited, primary actor behind much of the activity and US officials are increasingly willing to publicly acknowledge that China’s network exploitation and intelligence collection activities are one of the United States’ most consuming, counter-intelligence challenges.

The People’s Liberation Army and state security organisations are employing this capability to mount a large-scale network exploitation effort against the United States and many other countries, according to US officials, targeted governments and media reporting of these incidents.

There has been a long-term, persistent campaign to collect sensitive but unclassified information from US government and defence industry networks using network exploitation techniques. As of 2007, according to US Air Force estimates, China has successfully captured at least 10 to 20 terabytes of data from US Government networks alone, and that figure has undoubtedly grown in the past two years.

The Special Report: Espionage with Chinese Characteristics, published by Stratfor Global Intelligence (www.stratfor.com/memberships/156898/analysis/20100314_intelligence_services_part_1_spying_chinese_characteristics), identifies three main Chinese intelligence-gathering methods, which often overlap:

  • ‘human-wave’ or ‘mosaic’ collection, which assigns thousands of assets to gather a massive amount of information
  • recruiting and debriefing Chinese-born residents of other countries
  • patiently cultivating foreign assets of influence for long-term leverage, insight, and espionage.

Chinese intelligence operations stand out most of all because of their sheer number. China’s trademark human-wave and mosaic intelligence-gathering techniques reflect the traditional Chinese hallmarks of patience and persistence, as well as the centuries-old Chinese custom of ‘guanxi’, the cultivation and use of personal networks to influence events and engage in various ventures.

However, do not think China is alone in this activity. All nation states with the technology have identified the efficacy of intelligence collection through effective, open-source collection supplemented by targeted, covert collection.

The recent report, Symantec Internet Security Threat Report, Trends for 2010, indicates that the volume and sophistication of malicious activity increased substantially in 2010. The Stuxnet worm, mentioned earlier, became the first piece of malicious code able to affect physical devices while simultaneously attempting exploits for an unprecedented number of zero-day vulnerabilities.

The report advises, “While it is highly unlikely that threats such as Stuxnet will become commonplace because of the immense resources required to create it, it does show what a skilled group of highly organized attackers can accomplish. Targeted attacks of this nature have shown that determined attackers have the ability to infiltrate targets with research and social engineering tactics alone. This matters because recent studies have shown that the average cost per incident of a data breach in the United States was $7.2 million, with the largest breach costing one organization $35.3 million to resolve”.

With stakes so high, organisations and individuals need to focus their security efforts to prevent breaches.

Social Networking

The risks of a poorly managed social networking presence can range from cyber bullying of individuals to the downfall of an organisation. While social networking sites may provide companies with a mechanism to market themselves online, they can also have serious consequences: information posted by employees on social networking sites can be used in social engineering tactics as part of targeted attacks, and the sites themselves can serve as a vector for malicious code infection. Organisations need to create specific policies for sensitive information inadvertently posted by employees.

Security Risk Management

The arrival of ISO 31000 Risk Management Standard and the ongoing development of ISO 28000, which owes so much to our Australian standard 4360 and for security implementation to HB167, are charting a fundamental course for security professionals in the international environment.

Integrating risk management concepts into security practice areas not only provides a strong rationale for security measures but also enhances the efficiency and effectiveness of the chosen mitigations. It is fair to say that ISO 31000 underpins the management systems that are being developed across the spectrum of standards to sustain and protect our society.

Security professionals can today talk the language of the corporation when they integrate their disciplines with the needs of companies. The risk assessment and the recommendation of appropriate mitigations underpin the capacity of a security professional to explain the difference they make to those with no security background but other responsibilities such as finance and property management.

This observation leads to the developing interest and application of enterprise-level security. ASIS International and ISACA (Information Systems Audit and Control Association) combined to form the Alliance for Enterprise Security Risk Management (www.aesrm.org) which commissioned a number of papers downloadable from the website.

In considering the issue, the paper on enterprise security developed by Booz, Allen and Hamilton identified a strategic level of convergence as “… a trend affecting global enterprises that involves the identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies”. The paper identified the need to break down organisational barriers and obstacles to information sharing that prevent organisations from effectively identifying and managing security risk within the wider perspective of the enterprise. In the light of September 11 and subsequent incidents, the truth of this observation is well borne out.

Where To From Here

The French philosopher and editor, Alphonse Karr, said, “the more things change, the more they stay the same”. In the case of security, I fear he is wrong. Many of the motivations that drive security risk remain the same – religion, hatred, greed, and international competition – but the scale of the risk and consequences are of a whole new order.

So where do we go from here? This article has merely touched on some of the emergent issues in the practice and management areas of security. Our challenge will be to find and develop people willing to undertake the tasks of delivering security with expertise, ethics, competence, commitment, and imagination.

The Australasian Council of Security Professionals is one such group attempting the challenge. In the United Kingdom, we see the Security Institute moving forward in a similar fashion. Industry associations such as ASIAL, SPAAL and the VSI are doing their part. Internationally, ASIS International and ISACA are providing leadership and the efforts made by ISO and standards bodies in Australia and New Zealand are moving forward. The Federal Government is also doing its part but we need the states to work together on issues as simple as training and licensing where efforts for national remediation seem to be languishing in some quarters.

For a full list of references, please email editorial@australianmediagroup.com

If you are interested in taking up some of these challenges in the areas of practice, professionalism and development, feel free to contact Jason at jason.brown@securityprofessionals.org.au